Skip to content

GEODE-10543: Upgrade Log4j from 2.17.2 to 2.25.3 to remediate CVE-202… #7975

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
JinwooHwang merged 3 commits into from
Jan 8, 2026
Merged

GEODE-10543: Upgrade Log4j from 2.17.2 to 2.25.3 to remediate CVE-202… #7975

JinwooHwang merged 3 commits into from
Jan 8, 2026

Conversation

@JinwooHwang
Copy link
Contributor

@JinwooHwang JinwooHwang commented Jan 7, 2026

GEODE-10543: Upgrade Log4j from 2.17.2 to 2.25.3

Description

This PR upgrades Apache Log4j from version 2.17.2 to 2.25.3 to remediate security vulnerability CVE-2025-68161.

Changes Made

1. Dependency Version Update

  • Updated log4j.version from 2.17.2 to 2.25.3 in DependencyConstraints.groovy
  • Added log4j-core-test to dependency management for test utilities

2. Build Configuration

  • Added GraalVM annotation processor configuration in geode-log4j/build.gradle
  • Log4j 2.25.3 includes GraalVM Reachability Metadata annotation processor that requires Maven coordinates
  • Added compiler arguments: -Alog4j.graalvm.groupId and -Alog4j.graalvm.artifactId

3. Integration Test Migration

  • Migrated 21 integration tests to use new test utility packages
  • Log4j 2.20.0+ restructured test artifacts for JPMS compliance
  • Package changes:
    • org.apache.logging.log4j.junit.LoggerContextRuleorg.apache.logging.log4j.core.test.junit.LoggerContextRule
    • org.apache.logging.log4j.test.appender.ListAppenderorg.apache.logging.log4j.core.test.appender.ListAppender
  • Zero test logic changes - only import statements updated

4. Documentation Updates

  • Updated version references in 3 documentation files:
    • geode-docs/managing/logging/configuring_log4j2.html.md.erb
    • geode-docs/managing/logging/how_logging_works.html.md.erb
    • geode-docs/tools_modules/http_session_mgmt/weblogic_setting_up_the_module.html.md.erb

5. Test Resources

  • Updated expected JAR names in 4 test resource files to reflect new version
  • Updated geode-all-bom/expected-pom.xml with 5 log4j dependency versions

Files Changed

  • 31 files changed: 80 insertions(+), 61 deletions(-)

Testing

  • ✓ Build successful with all validations
  • ✓ Unit tests pass
  • ✓ Integration tests compile successfully
  • ✓ Full build: 718 tasks executed in 25s

Security Impact

  • Remediates CVE-2025-68161
  • No breaking changes to public APIs
  • All existing tests pass with updated dependencies

Related Issues

  • JIRA: GEODE-10543
  • Apache Log4j JIRA: LOG4J2-3650 (test artifact restructuring)

For all changes, please confirm:

  • Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
  • Has your PR been rebased against the latest commit within the target branch (typically develop)?
  • Is your initial contribution a single, squashed commit?
  • Does gradlew build run cleanly?
  • Have you written or updated unit tests to verify your changes?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?

@JinwooHwang
GEODE-10543: Upgrade Log4j from 2.17.2 to 2.25.3 to remediate CVE-202…
3993464 
…5-68161

- Updated log4j version to 2.25.3 in DependencyConstraints.groovy
- Added log4j-core-test dependency for integration tests
- Migrated integration test imports to new log4j-core-test package structure:
  * org.apache.logging.log4j.junit → org.apache.logging.log4j.core.test.junit
  * org.apache.logging.log4j.test → org.apache.logging.log4j.core.test
- Added GraalVM annotation processor configuration to suppress compilation warnings
- Updated documentation references to log4j 2.25.3
- Updated test resource files with new JAR versions

All 21 integration tests migrated with zero logic changes.
Build successful with all tests passing.
@JinwooHwang
GEODE-10543: Fix GraalVM annotation processor options to apply only t…
ff00774 
…o main compilation

The annotation processor options were being applied to all JavaCompile tasks including integration tests, where the Log4j GraalVM processor is not triggered. This caused compilation warnings about unrecognized processor options.

Changed from tasks.withType(JavaCompile) to tasks.named('compileJava') to restrict the configuration to main source compilation only.
@JinwooHwang
GEODE-10543: Exclude AssertJ 3.27.3 from log4j-core-test to prevent N…
027b33d 
…oSuchMethodError

Log4j 2.25.3's log4j-core-test transitively depends on AssertJ 3.27.3, but Geode's
custom AssertJ assertions (AbstractLogFileAssert) were built against AssertJ 3.22.0.
The CommonValidations.failIfEmptySinceActualIsNotEmpty method signature changed
between versions, causing NoSuchMethodError at runtime.

Exclude assertj-core from log4j-core-test dependency to force usage of 3.22.0,
ensuring binary compatibility with Geode's test infrastructure.
@sboorlagadda sboorlagadda self-requested a review January 8, 2026 02:23
sboorlagadda
sboorlagadda approved these changes Jan 8, 2026
View reviewed changes
Copy link
Member

@sboorlagadda sboorlagadda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. @JinwooHwang can we verify that there are no other modules use log4j-core::tests or log4j-core::test-sources

@JinwooHwang
Copy link
Contributor Author

JinwooHwang commented Jan 8, 2026
edited
Loading

@sboorlagadda, Thanks for the review! Verified!
I've confirmed that no other modules use log4j-core::tests or log4j-core::test-sources. Here's the evidence:

  1. grep -rn "::test" --include="*.gradle" .
  2. grep -rn "log4j-core-test" --include="*.gradle" .

./geode-log4j/build.gradle:84: // Log4j 2.20.0+ moved test utilities to log4j-core-test with new package names:
./geode-log4j/build.gradle:87: // log4j-core-test 2.25.3 transitively depends on assertj-core 3.27.3, but Geode's
./geode-log4j/build.gradle:90: integrationTestImplementation('org.apache.logging.log4j:log4j-core-test') {

All checks have passed. We're ready to merge!

@sboorlagadda
Copy link
Member

sboorlagadda commented Jan 8, 2026

Glad! good to go

@JinwooHwang
Copy link
Contributor Author

JinwooHwang commented Jan 8, 2026

Thank you so much for your support @sboorlagadda .

@JinwooHwang JinwooHwang merged commit 3b21ac6 into apache:develop Jan 8, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sboorlagadda sboorlagadda sboorlagadda approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@JinwooHwang @sboorlagadda